Deprecate catalog replacements and whitelists
Bug #1383817 reported by David Stanek
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) | Fix Released | High | David Stanek | | |
Bug Description
Bug #1354208 reported a security flaw in the way that we performed substitution for catalog URLs. The immediate solution was to add a whitelist of config fields that are safe to use with substitution. The long-term goal is to get rid of this feature and only allow tenant_id and user_id to be used for substitution.
The first step for the Kilo release is to deprecate the feature.
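
The three tiers described above (keys that stay supported, whitelisted keys that are now deprecated, and everything else) can be sketched as follows. This is an added example, not keystone's code: the placeholder syntax, the `example_host`/`example_port` key names, the function name and the exception class are assumptions made for illustration.

```python
import re
import warnings

# The two keys the bug description names as the long-term supported set.
SUPPORTED_KEYS = {"tenant_id", "user_id"}
# Assumption: constructed stand-ins for whitelisted config fields; the
# actual whitelist is not shown on this page.
DEPRECATED_KEYS = {"example_host", "example_port"}

# Assumed template syntax: %(name)s or $(name)s placeholders.
PLACEHOLDER = re.compile(r"[%$]\((\w+)\)s")


class DisallowedSubstitution(ValueError):
    """Raised when a template references a key outside both sets."""


def format_url(template, values):
    """Expand placeholders in a catalog URL template.

    Keys are resolved one by one against the allowlists, so a value that
    happens to be present in `values` is unreachable unless its key is
    explicitly permitted.
    """
    def replace(match):
        key = match.group(1)
        if key in DEPRECATED_KEYS:
            # Still honoured, but flagged so operators can migrate.
            warnings.warn(
                f"substitution of {key!r} in catalog URLs is deprecated",
                DeprecationWarning,
            )
        elif key not in SUPPORTED_KEYS:
            raise DisallowedSubstitution(key)
        if key not in values:
            raise KeyError(key)
        return str(values[key])

    return PLACEHOLDER.sub(replace, template)
```

Running a deployment's templates through a check like this with warnings enabled lists every endpoint that still depends on a deprecated key before the feature is removed.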
Changed in keystone:
status: In Progress → Fix Committed

Changed in keystone:
status: Fix Committed → Fix Released

Changed in keystone:
milestone: kilo-1 → 2015.1.0
Fix proposed to branch: master
Review: https://review.openstack.org/130013